@cdot65/prisma-airs-cli
v1.3.0
Published
CLI and library for Palo Alto Prisma AIRS — guardrail refinement, AI red teaming, model security scanning, profile audits
Readme
Prisma AIRS CLI
Full operational coverage over Palo Alto Prisma AIRS AI security — guardrail refinement, runtime scanning, AI red teaming, model security, and profile audits.
Read the full documentation — installation, configuration, architecture, CLI reference, and examples.
Features
- Runtime Scanning — scan prompts and responses against AIRS security profiles, single or bulk with CSV export
- Guardrail Generation — LLM-driven iterative refinement loop that generates, deploys, tests, and improves custom topic definitions until a coverage target is met
- AI Red Teaming — adversarial scanning with static, dynamic, and custom prompt set attack modes
- Model Security — ML model supply chain scanning with security groups, rules, and violation tracking
- Profile Audits — multi-topic evaluation with per-topic metrics and cross-topic conflict detection
- Cross-run Memory — persists learnings across guardrail generation runs for faster convergence
Install
npm install -g @cdot65/prisma-airs-cli
airs --versionRequires Node.js >= 20. Also available via pnpm add -g, npx, or as a Docker image. See the installation guide for details.
Quick Start
# Configure credentials
cp .env.example .env # add your API keys
# Runtime scanning
airs runtime scan --profile "my-profile" "Is this prompt safe?"
airs runtime bulk-scan --profile "my-profile" --input prompts.csv --output results.csv
# Guardrail generation (interactive)
airs runtime topics generate
# Red team scanning
airs redteam scan --target <uuid> --name "Full Scan" --type STATIC
airs redteam report <job-id>
# Model security
airs model-security scans create --config scan-config.jsonCommands
| Command | Description |
|---------|-------------|
| runtime scan | Single prompt scanning against AIRS profiles |
| runtime bulk-scan | Batch prompt scanning with CSV output |
| runtime topics | Custom topic CRUD + guardrail generation (generate, resume, report, runs) |
| runtime profiles | Security profile CRUD (list, get, create, update, delete) + multi-topic audit |
| runtime api-keys | API key management |
| runtime customer-apps | Customer app CRUD |
| runtime deployment-profiles | Deployment profile listing |
| runtime dlp-profiles | DLP profile listing |
| runtime scan-logs | Scan log querying |
| redteam scan | Adversarial scanning (STATIC, DYNAMIC, CUSTOM) |
| redteam targets | Red team target CRUD |
| redteam prompt-sets | Custom prompt set management |
| model-security groups | Security group CRUD |
| model-security rules | Security rule management |
| model-security scans | Model security scanning |
Configuration
Credentials are configured via environment variables or ~/.prisma-airs/config.json. See .env.example for the full list.
Required for scanning: PANW_AI_SEC_API_KEY
Required for management: PANW_MGMT_CLIENT_ID, PANW_MGMT_CLIENT_SECRET, PANW_MGMT_TSG_ID
Required for guardrail generation: one LLM provider key + scanning + management credentials
License
MIT